South Korea’s largest online retailer, Coupang, has apologised for a massive data breach potentially involving nearly 34 million local customer accounts.
The country’s internet authority said that it is investigating the breach and that details from the millions of accounts have likely been exposed.
Coupang is often described as South Korea’s equivalent of Amazon.com. The breach marks the latest in a series of data leaks at major firms in the country, including its telecommunications giant, SK Telecom.
Coupang told the BBC it became aware of the unauthorised access of personal data of about 4,500 customer accounts on 18 November and immediately reported it to the authorities.
But later checks found that some 33.7 million customer accounts – all in South Korea – were likely exposed, said Coupang, adding that the breach is believed to have begun as early as June through a server based overseas.
The exposed data is limited to name, email address, phone number, shipping address and some order histories, Coupang said.
No credit card information or login credentials were leaked. Those details remain securely protected, and no action is required from Coupang users at this point, the firm added.
The number of accounts affected by the incident represents more than half of South Korea’s roughly 52 million population.
Coupang, which is founded in South Korea and is headquartered in the US, said recently that it had nearly 25 million active users.
Coupang apologised to its customers and warned them to stay alert to scams impersonating the company.
The firm did not give details on who is behind the breach.
South Korean media outlets reported on Sunday that a former Coupang employee from China was suspected of being behind the breach.
The authorities are assessing the scale of the breach as well as whether Coupang had broken any data protection safety rules, South Korea’s Ministry of Science and ICT said in a statement.
“As the breach involves the contact details and addresses of a large number of citizens, the Commission plans to conduct a swift investigation and impose strict sanctions if it finds a violation of the duty to implement safety measures under the Protection Act.”
The incident marks the latest in a series of breaches affecting major South Korean companies this year, despite the country’s reputation for stringent data privacy rules.
SK Telecom, South Korea’s largest mobile operator, was fined nearly $100m (£76m) over a data breach involving more than 20 million subscribers.
In September, Lotte Cards also said the data of nearly three million customers was leaked after a cyber-attack on the credit card firm.